SolarWinds CEO: Attack Was ‘One Of The Most Complex And Sophisticated’ In History

Hackers first accessed SolarWinds in September 2019 and went out of their way to avoid being detected by the company’s software development and build teams, SolarWinds CEO Sudhakar Ramakrishna says.

Hackers first accessed SolarWinds in September 2019 and went out of their way to avoid being detected by the company’s software development and build teams, the company’s new CEO said.

“The SUNBURST attack appears to be one of the most complex and sophisticated cyberattacks in history,” Sudhakar Ramakrishna wrote in a blog post Monday. “We recognize the software development and build process used by SolarWinds is common throughout the software industry, so we believe that sharing this information openly will help the industry guard against similar attacks in the future.”

Hackers invested a lot of effort to ensure their code was properly inserted and remained undetected, prioritizing operational security to avoid revealing their presence to SolarWinds developers, CrowdStrike wrote in its own blog post Monday. SolarWinds is working with CrowdStrike, KPMG, its legal counsel DLA Piper and other industry experts to perform a root cause analysis of the attack, according to Ramakrishna.

[Related: SolarWinds’ New CEO Will Make These 5 Changes Post-Hack]

Several safeguards were added to the hacker’s malware to ensure the SolarWinds Orion builds didn’t fail, which CrowdStrike said could have alerted SolarWinds developers to the adversary’s presence. Specifically, CrowdStrike said the malware monitors running processes for those involved in compiling the Orion product and replaces one of the source files to include the backdoor code into Orion.

SolarWinds, KPMG and CrowdStrike were able to locate the malicious code injection source, according to Ramakrishna. The three companies have reverse-engineered the code responsible for the attack, enabling them to learn more about the tool that was developed and deployed into SolarWinds’ build environment, Ramakrishna said.

The earliest suspicious activity on SolarWinds’ internal systems identified by the company’s forensic teams in their current investigation dates all the way back to September 2019, Ramakrishna said. That’s even earlier than the previously identified start date of October 2019, which is when FireEye CEO Kevin Mandia said last month that innocuous code changes were first made on the Orion platform.

Specifically, Ramakrishna said the threat actor first accessed SolarWinds on Sept. 4, 2019, and then eight days later injected test code and began a trial run of its attack. The October 2019 version of Orion appears to contain modifications designed to test the hackers’ ability to insert code into SolarWinds builds, he said. The test code injections ended on Nov. 4, 2019, according to Ramakrishna.

Then on Feb. 20, 2020, Ramakrishna said the hackers began inserting the malicious code into Orion Platform releases starting on February 20, 2020. The hackers remained undetected and removed the malicious code from SolarWinds’ environment on June 4, 2020, according to Ramakrishna. The massive attack was reportedly carried out by the Russian foreign intelligence service, The Washington Post has previously reported.

From June 2020 until today, SolarWinds investigated various vulnerabilities in its Orion platform, and either remediated or initiated the process of remediating those vulnerabilities, he said. However, the company didn’t identify the vulnerability now known as SUNBURST until December, he said. SolarWinds said its then-CEO Kevin Thompson was advised by a FireEye executive of the Orion backdoor on Dec. 12.

SolarWinds has identified two previous customer support incidents that, with the benefit of hindsight, might be related to the massive hacking campaign, Ramakrishna said. The first was investigated with a customer and two third-party security companies, and SolarWinds at the time didn’t determine the root cause of the suspicious activity or identify the presence of SUNBURST malicious code, Ramakrishna said.

The second incident occurred in November, and SolarWinds similarly didn’t identify the presence of the SUNBURST malicious code, according to Ramakrishna. SolarWinds is still investigating these incidents and is sharing information related to them with law enforcement to support investigation efforts, Ramakrishna said.

“Our concern is that right now similar processes may exist in software development environments at other companies throughout the world,” Ramakrishna said. “The severity and complexity of this attack has taught us that more effectively combatting similar attacks in the future will require an industry-wide approach as well as public-private partnerships.”